From 9480de29db25982c75a7317ba779eec3d3847781 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Mon, 6 May 2013 10:00:45 +0200 Subject: [PATCH] Revert removal of overflow2 use in gd.c Function provided by gd_security with bundled libgd Function provided by gd_compat with system libgd This fix failed test imageloadfont_invalid.phpt This test now also pass with system libgd --- ext/gd/gd.c | 7 ++----- ext/gd/gd_compat.c | 16 ++++++++++++++++ ext/gd/gd_compat.h | 6 ++++++ ext/gd/tests/imageloadfont_invalid.phpt | 1 - 4 files changed, 24 insertions(+), 6 deletions(-) diff --git a/ext/gd/gd.c b/ext/gd/gd.c index d463444120..d6d2848d41 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -57,9 +57,8 @@ # include #endif -#ifndef HAVE_GD_BUNDLED # include "gd_compat.h" -#endif /* HAVE_GD_BUNDLED */ + static int le_gd, le_gd_font; #if HAVE_LIBT1 @@ -1468,9 +1467,7 @@ PHP_FUNCTION(imageloadfont) body_size = font->w * font->h * font->nchars; } - if ((font->nchars <= 0 || font->h <= 0 || font->w <= 0 ) || \ - (font->nchars > INT_MAX / font->h) || \ - (font->nchars * font->h > INT_MAX / font->w)) { + if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); efree(font); php_stream_close(stream); diff --git a/ext/gd/gd_compat.c b/ext/gd/gd_compat.c index 35b6457858..14538d401f 100644 --- a/ext/gd/gd_compat.c +++ b/ext/gd/gd_compat.c @@ -10,6 +10,7 @@ #endif #include "gd_compat.h" +#include #ifdef HAVE_GD_JPG int gdJpegGetVersionInt() 
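Review bot: In the imageloadfont hunk of ext/gd/gd.c, the context line `body_size = font->w * font->h * font->nchars;` still multiplies all three header fields before the restored `overflow2()` guard runs. If these fields are plain `int` values read from the font file (their declaration is outside the hunk), the product can overflow before anything has been validated. The guard itself is ordered safely: `||` short-circuits, so `font->nchars * font->h` is evaluated only after the first `overflow2()` call has accepted that pair. I would compute `body_size` only after the guard has passed, or, if it must come first, mark it with `/* not trusted until overflow2() below accepts w, h and nchars */`. PHP_FUNCTION(imageloadfont) starts and ends outside the hunk, so how `body_size` is used later cannot be confirmed from here.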
@@ -45,3 +46,18 @@ const char * gdPngGetVersionString() } #endif +int overflow2(int a, int b) +{ + TSRMLS_FETCH(); + + if(a <= 0 || b <= 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully\n"); + return 1; + } + if(a > INT_MAX / b) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); + return 1; + } + return 0; +} + diff --git a/ext/gd/gd_compat.h b/ext/gd/gd_compat.h index ea812ea2c4..db757f5988 100644 --- a/ext/gd/gd_compat.h +++ b/ext/gd/gd_compat.h @@ -1,8 +1,14 @@ #ifndef GD_COMPAT_H #define GD_COMPAT_H 1 +#ifndef HAVE_GD_BUNDLED +/* from gd_compat.c */ const char * gdPngGetVersionString(); const char * gdJpegGetVersionString(); int gdJpegGetVersionInt(); +#endif + +/* from gd_compat.c of libgd/gd_security.c */ +int overflow2(int a, int b); #endif /* GD_COMPAT_H */ diff --git a/ext/gd/tests/imageloadfont_invalid.phpt b/ext/gd/tests/imageloadfont_invalid.phpt index 07bf150ac8..6cf0e336b6 100644 --- a/ext/gd/tests/imageloadfont_invalid.phpt +++ b/ext/gd/tests/imageloadfont_invalid.phpt @@ -3,7 +3,6 @@ imageloadfont() function crashes --SKIPIF-- --FILE--
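Review bot: `overflow2()` in ext/gd/gd_compat.c is added without a comment stating its contract, and the return sense of a guard like this is easy to invert at a call site. It returns 1 when either operand is <= 0 or when `a * b` would exceed INT_MAX, and 0 only when the product fits. I would add above the definition `/* Returns 1 (and raises E_WARNING) if a <= 0, b <= 0 or a * b would exceed INT_MAX; returns 0 if the product fits in int. */`. Both strings passed to `php_error_docref()` end in `\n`, unlike the "invalid font header" message in gd.c, so the trailing newline looks unintended and could be dropped.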
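Review bot: In ext/gd/gd_compat.h the new comment `/* from gd_compat.c of libgd/gd_security.c */` appears to mean "or" rather than "of". The commit message says bundled builds take overflow2 from gd_security and system-libgd builds take it from gd_compat, but as written the comment reads as if gd_compat.c belonged to libgd. I would write `/* from gd_compat.c (system libgd) or libgd/gd_security.c (bundled libgd) */`. Since this prototype now sits outside the `HAVE_GD_BUNDLED` guard and gd.c includes the header unconditionally, it must stay identical to the declaration in the bundled library's own headers, which are not shown here.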